Upload
others
View
5
Download
0
Embed Size (px)
Citation preview
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Case No. CLASS ACTION COMPLAINT
Lesley Weaver (Cal. Bar No.191305) Angelica M. Ornelas (Cal. Bar No. 285929) Joshua D. Samra (Cal. Bar No. 313050) BLEICHMAR FONTI & AULD LLP 555 12th Street, Suite 1600 Oakland, CA 994607 Tel.: (415) 445-4003 Fax: (415) 445-4020 [email protected] [email protected] [email protected]
Mitchell M. Breit (pro hac vice to be sought) Jason ‘Jay’ Barnes (pro hac vice to be sought) An Truong (pro hac vice to be sought) Eric Johnson (pro hac vice to be sought) SIMMONS HANLY CONROY LLC 112 Madison Avenue, 7th Floor New York, NY 10016 Tel.: (212) 784-6400 Fax: (212) 213-5949 [email protected] [email protected] [email protected] [email protected]
Laurence D. King (Cal. Bar No. 206423) Mario Choi (Cal. Bar No. 243409) KAPLAN FOX & KILSHEIMER LLP 1999 Harrison Street, Suite 1560 Oakland, CA 94612 Tel.: (415) 772-4700 Fax: (415) 772-4707 [email protected] [email protected] Attorneys for Plaintiffs
David A. Straite (pro hac vice to be sought) Aaron L. Schwartz (pro hac vice to be sought) KAPLAN FOX & KILSHEIMER LLP 850 Third Avenue New York, NY 10022 Tel.: (212) 687-1980 Fax: (212) 687-7715 [email protected] [email protected]
IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION
PATRICK CALHOUN, ELAINE CRESPO, HADIYAH JACKSON and CLAUDIA KINDLER, on behalf of themselves and all others similarly situated,
Plaintiffs, v. GOOGLE LLC,
Defendant.
No. ___________________________
CLASS ACTION COMPLAINT DEMAND FOR JURY TRIAL
PUBLIC REDACTED VERSION WITH PLAINTIFFS’ SENSITIVE PERSONAL
INFORMATION PROVISIONALLY REDACTED PENDING MOTION TO SEAL
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 1 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
TABLE OF CONTENTS
Page
- i - Case No. CLASS ACTION COMPLAINT
I. INTRODUCTION ................................................................................................................ 1
II. JURISDICTION AND VENUE ........................................................................................... 3
A. Personal Jurisdiction ................................................................................................ 3
B. Subject Matter Jurisdiction ...................................................................................... 3
C. Venue ....................................................................................................................... 3
III. THE INTRADISTRICT ASSIGNMENT ............................................................................. 4
IV. PARTIES .............................................................................................................................. 4
V. FACTUAL ALLEGATIONS ............................................................................................... 5
A. Contract Formation .................................................................................................. 5
B. Relevant Contract Terms.......................................................................................... 8
C. Google Improperly Collects Personal Information from Un-Synched Chrome Users Without Consent and in Breach of Contract .................................. 10
1. Definition of Personal Information ............................................................ 10
2. An IP Address + User Agent Is Personal Information ............................... 12
3. Persistent Cookies Are Personal Information ............................................ 13
4. X-Client Data Headers Are Personal Information ..................................... 16
5. Browsing History is Personal Information ................................................. 19
D. Chrome’s Promise Not To Share PI With Google if Not Synched Was Intended To Encourage, Not Diminish, User Engagement .................................... 20
E. How Google Instructs Chrome to Report PI to Google ......................................... 23
F. A Sample Visit to The San Jose Mercury News Website Using Chrome – Comparison Between a “Synched” Session and “Un-synched” Session ............... 28
G. Plaintiffs’ Personal Experiences ............................................................................ 33
H. Google’s Improper Collection of PI from Plaintiffs and Other Un-Synched Chrome Users is a Serious Invasion of the Privacy and is Highly Offensive ........ 50
I. Plaintiffs’ PI Is Property Owned by the Plaintiffs and Has Economic Value ........ 52
J. Plaintiffs Have Suffered Economic Injury ............................................................. 55
K. Google Has Been Unjustly Enriched ..................................................................... 58
VI. CLASS ACTION ALLEGATIONS ................................................................................... 63
VII. COUNTS ............................................................................................................................. 65
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 2 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
TABLE OF CONTENTS (cont’d.)
Page
- ii - Case No. CLASS ACTION COMPLAINT
COUNT ONE WIRETAP ACT: UNAUTHORIZED INTERCEPTION OF ELECTRONIC COMMUNICATIONS ....................................................................... 65
COUNT TWO WIRETAP ACT – UNAUTHORIZED DISCLOSURES BY AN ECS 18 U.S.C. § 2510, et. seq. ..................................................................................... 68
COUNT THREE STORED COMMUNICATIONS ACT – UNAUTHORIZED ACCESS TO STORED ECS COMMUNICATIONS 18 U.S.C. § 2701 ........................... 70
COUNT FOUR STORED COMMUNICATIONS ACT – UNAUTHORIZED DISCLOSURES OF STORED COMMUNICATIONS BY AN ECS 18 U.S.C. § 2701 ................................................................................................................. 72
COUNT FIVE VIOLATION OF THE CALIFORNIA INVASION OF PRIVACY ACT (“CIPA”) Cal. Penal Code §§ 631 ........................................................... 72
COUNT SIX INVASION OF PRIVACY ......................................................................... 74
COUNT SEVEN INTRUSION UPON SECLUSION ....................................................... 76
COUNT EIGHT BREACH OF CONTRACT ................................................................... 77
COUNT NINE BREACH OF THE IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING .......................................................................................... 78
COUNT TEN QUASI-CONTRACT (RESTITUTION AND UNJUST ENRICHMENT) (IN ALTERNATIVE TO CONTRACT CLAIMS)................................ 79
COUNT ELEVEN VIOLATION OF COMPUTER FRAUD AND ABUSE ACT (“CFAA”) 18 U.S.C. §1030(g) ........................................................................................... 79
COUNT TWELVE VIOLATION OF CALIFORNIA COMPUTER DATA ACCESS AND FRAUD ACT Cal. Penal Code § 502 ...................................................... 80
COUNT THIRTEEN STATUTORY LARCENY California Penal Code §§ 484 and 496 .................................................................................................................... 82
COUNT FOURTEEN VIOLATIONS OF THE CALIFORNIA UNFAIR COMPETITION LAW (“UCL”) Cal. Bus. & Prof. Code § 17200, et seq. ........................ 83
COUNT FIFTEEN PUNITIVE DAMAGES Cal. Civ. Code § 3294 ................................ 85
COUNT SIXTEEN DECLARATORY RELIEF 28 U.S.C. § 2201(a) .............................. 85
VIII. PRAYER FOR RELIEF ...................................................................................................... 86
IX. JURY TRIAL DEMAND ................................................................................................... 87
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 3 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 4 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 5 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 1 - Case No. CLASS ACTION COMPLAINT
I. INTRODUCTION
1. This is a nationwide data privacy class action brought by and on behalf of Google
Chrome users who chose not to “Sync” their browsers with their Google accounts while browsing
the web (“Un-Synched Chrome Users”) from July 27, 2016 to the present (the “Relevant Period”).
2. Google expressly promises Chrome users that they “don’t need to provide any
personal information to use Chrome” and that “[t]he personal information that Chrome stores won’t
be sent to Google unless you choose to store that data in your Google Account by turning on
sync[.]”
3. Despite these express and binding promises, Google intentionally and unlawfully
causes Chrome to record and send users’ personal information to Google regardless of whether a
user elects to Sync or even has a Google account.
4. Examples of personal data improperly created and sent to Google by Chrome
include:
a. IP addresses linked to user agents;
b. Unique, persistent cookie identifiers including the Client ID;
c. Unique browser identifiers called X-Client Data Headers; and
d. Browsing history.
5. This Complaint provides specific examples of the personal data flow that Chrome
sent from Plaintiffs’ devices as they used Chrome while not Synched, demonstrating that Chrome
secretly sends personal information to Google even when a Chrome user does not Sync.
6. Google’s contract with Chrome users designates California law, and consistent with
California law, defines “Personal Information” as “information that you provide to us which
personally identifies you . . . or other data that can be reasonably linked to such information by
Google, such as information we associate with your Google Account.”
7. Each category of data identified above is “personal information” because it either
personally identifies the user or can be reasonably linked to such information. Furthermore, Google
affirmatively discloses that it associates data gathered from Chrome with users. Google has
therefore breached its contract with Un-Synched Chrome Users.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 6 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 2 - Case No. CLASS ACTION COMPLAINT
8. The improperly collected web browsing history also consists of electronic
communications that contain content protected by California and federal wiretap laws. Google
collects the content contemporaneously with the communications; Google does not obtain consent
from Un-Synched Chrome Users to intercept these communications; and Google is not a party to
them. Google is thus violating the federal Electronic Communications Privacy Act and analogue
California statutes.
9. Google’s actions are a serious violation of user privacy. Google tracking code is
found on websites accounting for more than half of all internet traffic and Chrome is the dominant
web browser (used on a majority of desktop computers in the United States), giving Google
unprecedented power to surveil the lives of more than half of the online country in real time. And
because some of Google’s third-party tracking cookies are disguised as first-party cookies to
facilitate cookie synching, Google is misrepresenting its privacy practices in ways that have been
successfully challenged by the FTC in the past.1
10. Google’s extensive network of affiliates—Google Sites, Google Apps, Google
Account, Google Drive, Google AdWords—as well as its business partnerships means that sharing
information with Google feeds it into a massive interconnected database of surveillance material.
Google’s surveillance of the Plaintiffs and other Un-Synched Chrome Users directly contradicts its
promises to honor users’ choice not to share data. This is a serious and irreversible invasion of
privacy that is invisible to Google users.
11. Google’s actions also constitute rank theft. Plaintiffs’ PI is a form of property
recognized under California law and has economic value in the marketplace. Taking Plaintiffs’ PI
from their computers without consent is larceny; any profits earned on the PI are unjustly earned at
the expense of Plaintiffs and must be disgorged. Had Google been transparent about its level of
surveillance, user engagement—a key metric for Google’s sales—would have decreased.
12. Google’s actions also constitute unlawful computer intrusion under California and
federal law. Google introduced computer code into Plaintiffs’ computers and caused damage
1 United States v. Google, Inc., 12-cv-4177-SI (N.D. Cal.), complaint dated Aug. 8, 2012, at ¶ 46-47.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 7 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 3 - Case No. CLASS ACTION COMPLAINT
without authorization by turning the computers into surveillance machines that reported Plaintiffs’
personal information, including private web browsing, to Google, in real time.
13. Plaintiffs and the other Un-Synched Chrome Users have suffered privacy harm and
economic harm as a result of Google’s wrongful acts. Plaintiffs therefore bring contract, statutory,
common law and equitable claims against Google for money damages, restitution, disgorgement,
punitive damages and injunctive relief.
II. JURISDICTION AND VENUE
A. Personal Jurisdiction
14. This Court has personal jurisdiction over Defendant because Defendant is
headquartered in this District. Google also concedes personal jurisdiction in the current and prior
general Google Terms of Service. See Exhibits 2 through 4.
B. Subject Matter Jurisdiction
15. This Court has subject matter jurisdiction over the federal claims in this action,
namely the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”), the Stored Communication
Act, 18 U.S.C. § 2701 (“SCA”), the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (the
“CFAA”) and request for Declaratory Relief under 18 U.S.C. § 2201, pursuant to 28 U.S.C. § 1331.
16. This Court also has subject matter jurisdiction over this entire action pursuant to the
Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which
the amount in controversy exceeds $5,000,000, and at least one member of the class is a citizen of
a state other than California or Delaware.
17. This Court also has supplemental jurisdiction over the state law claims in this action
pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy
as those that give rise to the federal claims.
C. Venue
18. Venue is proper in this District because the Defendant is headquartered in this
District. In addition, in the current Google general Terms of Service and prior versions, Google
purports to bind Plaintiffs to bring disputes in this District. See Exhibits 2 through 4.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 8 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 9 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 5 - Case No. CLASS ACTION COMPLAINT
laptops and never consented to Chrome sharing her Personal Information, including the contents of
her Internet communications, with Google. Despite her lack of consent and expressly promising
otherwise, Chrome shared Jackson’s personal information with Google, including the content of
her communications. Plaintiff has temporarily stopped using Chrome but wishes to use it again
once Google stops tracking un-synched users.
23. Plaintiff Claudia Kindler is an adult domiciled in California. Plaintiff has used the
Chrome browser on her personal laptop for numerous activities, including exchanging
communications with her banks, healthcare providers, and continuing education providers for her
employment. Kindler has also routinely used the Chrome browser to exchange communications
about politics and more. Plaintiff has not enabled Sync with her Google accounts on her personal
laptops and never consented to Chrome sharing her Personal Information, including the contents of
her Internet communications, with Google. Despite her lack of consent and expressly promising
otherwise, Chrome shared Kindler’s personal information with Google, including the content of
her communications. Plaintiff has temporarily stopped using Chrome but wishes to use it again
once Google stops tracking un-synched users.
24. Google LLC (“Google”) is a Delaware Limited Liability Company based at
1600 Amphitheatre Way, Mountain View, California, whose memberships interests are entirely
held by its parent holding company, Alphabet, Inc. (“Alphabet”), headquartered at the same
address. Alphabet trades under the stock trading symbols GOOG and GOOGL. Alphabet generates
revenues primarily by delivered targeted online advertising through the Google LLC subsidiary.
All operations relevant to this complaint are run by Google LLC.
25. In this Complaint, “Google” refers to Google LLC unless otherwise specified
V. FACTUAL ALLEGATIONS
A. Contract Formation
26. The current contract governing the relationship between Google and Chrome with
respect to Chrome consists of three documents: the Google general Terms of Service dated
March 31, 2020 (Exhibit 4) (“General TOS”); the Google Chrome and Chrome OS Additional
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 10 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 11 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 12 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 8 - Case No. CLASS ACTION COMPLAINT
34. At all times during the Relevant Period, therefore, the Chrome Privacy Notice was
a part of the contract between Plaintiffs and Google and supersedes any conflicting term in the
General TOS.
B. Relevant Contract Terms
35. The Chrome Privacy Notice represents that it is the place where users can “Learn to
control the information that’s collected, stored, and shared when you use the Google Chrome
browser[.]” See Ex. 33.
36. In the Chrome Privacy Notice, Google promised that Chrome would not send any
Personal Information to Google unless the Chrome User affirmatively chose to Sync the browser
with his or her Google Account.
37. Specifically, from June 2016 to present, all versions of the Chrome Privacy Notice
have promised that “You don’t need to provide any personal information to use Chrome.” See
Exs. 17-33.
38. In addition, all versions of the Chrome Privacy Notice have promised that Chrome
will not send Personal Information to Google unless the Chrome user chooses to Sync the browser
with his or her Google account:
a. From January 30, 2019 to the present, Google promises that “the personal
information that Chrome stores won’t be sent to Google unless you choose to
store that data in your Google Account by turning on sync.” See Exs. 28-33.
b. From September 24, 2018 to January 30, 2019, Google promised that “the
personal information that Chrome stores won’t be sent to Google unless you
choose to store that data in your Google Account by turning on Chrome
sync.” See Exs. 25-27.
c. Prior to September 24, 2018, the Chrome Privacy Notice promised “The
personal information that Chrome stores won’t be sent to Google unless you
choose to store that data in your Google Account by signing in to Chrome.
Signing in enables Chrome’s synchronization feature.” See Exs. 17-24.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 13 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 14 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 15 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 11 - Case No. CLASS ACTION COMPLAINT
Personal information includes, but is not limited to, the following if it identifies, relates to,
describes, is reasonably capable of being associated with, or could be reasonably linked, directly
or indirectly, with a particular consumer or household:
a. Identifiers such as a real name, alias, postal address, unique personal
identifier, online identifier, internet protocol address, email address, account
name, social security number, driver’s license number, passport number, or
other similar identifiers;
b. Any categories of personal information described in subdivision (e) of
Section 1798.80.
c. Characteristics of protected classifications under California or federal law;
d. Commercial information, including records of personal property, products
or services purchased, obtained, or considered, or other purchasing or
consuming histories or tendencies;
e. Biometric information;
f. Internet or other electronic network activity information, including, but not
limited to, browsing history, search history, and information regarding a
consumer’s interaction with an internet website, application, or
advertisement;
g. Geolocation data;
h. Audio, electronic, visual, thermal, olfactory, or similar information;
i. Professional or employment-related information;
j. Education information, defined as information that is not publicly available
personally identifiable information as defined in the Family Educational
Rights and Privacy Act (20 U.S.C. § 1232(g); 34 C.F.R. Part 99);
k. Inferences drawn from any of the information identified in this subdivision
to create a profile about a consumer reflecting the consumer’s preferences,
characteristics, psychological trends, predispositions, behavior, attitudes,
intelligence, abilities, and aptitudes.”
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 16 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 12 - Case No. CLASS ACTION COMPLAINT
Cal. Civ. Code § 1798.140(o)(1) (emphasis added).
44. The Google general Privacy Policy also expressly tracks the California statutory
definition of “personal information,” defining it as “information that you provide to us which
personally identifies you, such as your name, email address, or billing information, or other data
that can be reasonably linked to such information by Google, such as information we associate
with your Google Account.” See Ex. 16 (emphasis added).
45. The following data qualifies as personal information when Google code instructs
the Google Chrome browser to report it to Google:
a. IP addresses linked to user agent;
b. Session and Persistent cookie identifiers;
c. X-client-data headers; and
e. Browsing history and information regarding a consumer’s interaction with
an Internet website.
46. Google is reasonably capable of linking IP addresses (including those linked to user
agent), persistent cookie identifiers, X-client-data headers, and web browsing history and
information regarding a consumer’s interaction with an Internet website, and, in fact, does link such
information with individual consumers and their devices.
2. An IP Address + User Agent Is Personal Information
47. An IP address is a number that identifies a computer connected to the Internet.
48. IP addresses are used to identify and route communications on the Internet.
49. An IP address is not the same thing as a URL.
50. IP addresses of individual Internet users are used by Internet service providers,
websites, and tracking companies to facilitate and track Internet communications.
51. Google tracks IP addresses associated with specific Internet users.
52. Google is capable of and does in fact associate specific users with specific IP
addresses. For example, when a user signs into a Gmail account, Google associates the personal
information connected with that email account to the IP address in question.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 17 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 13 - Case No. CLASS ACTION COMPLAINT
53. Even if a specific IP address is shared by multiple devices on a single network,
Google is capable of and does, in fact, associate specific users with specific IP addresses. Google
does so through its use of other identifiers tied to an IP address, including User-Agent, which is a
list of properties identifying a device within a network.
54. Because Google collects the IP Address and user agent information together, Google
can identify a user’s individual device even if more than one device shares the same IP Address.
3. Persistent Cookies Are Personal Information
55. A cookie is a small text file that a web-server can place on a person’s web browser
and computing device when that person’s web browser interacts with the website server.
56. Cookies can perform different functions. Eventually, some cookies were designed
to acquire and record an individual Internet user’s communications and activities on websites across
the Internet.
57. Cookies are designed to and, in fact, do operate as a means of identification for
Internet users.
58. In general, cookies are categorized by (1) duration and (2) party.
59. There are two types of cookies classified by duration:
a. “Session cookies” are placed on a user’s computing device only while the
user is navigating the website that placed and accesses the cookie during a
single communication session. The user’s web browser deletes session
cookies when the user closes the browser.
b. “Persistent cookies” are designed to survive beyond a single Internet-
browsing session. The party creating the persistent cookie determines its
lifespan. As a result, a persistent cookie can acquire and record a user’s
Internet communications for years and over dozens, hundreds, or thousands
of websites. Persistent cookies are sometimes called “tracking cookies.”
60. Cookies are also classified by the party that uses the collected data:
a. “First-party cookies” are set on a user’s device by the website with which
the user is exchanging communications. For example, Google uses cookies
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 18 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 14 - Case No. CLASS ACTION COMPLAINT
on users’ browsers when users’ directly visit Google properties such as
Gmail. First-party cookies can be helpful to the user, server, and/or website
to assist with security, log-in, and functionality.
b. “Third-party cookies” are set on a user’s device by website servers other than
the website or server with which the user is exchanging communications.
For example, the same Gmail user might also have cookies on their Chrome
browser that are set by Google’s other services such as Google Ads or
Google Doubleclick. Unlike first-party cookies, third-party cookies are not
typically helpful to the user. Instead, third-party cookies are typically used
for data collection, behavioral profiling, and targeted advertising.
61. Google uses several cookies to identify specific Internet users and their devices,
including the following:
SID HSID
These cookies contain digitally signed and encrypted records of a user’s Google account ID and most recent sign-in time. They are unique and persistent on a user’s device for two years or more.
_Secure-SSID _Secure-HSID
These cookies are “secure” cookies that Google sets and accesses when a user signs into a Gmail account and does not formally log-off even after the user has left the Gmail website. They are unique and persistent on a user’s device for six months or more.
NID The NID cookie contains a unique ID Google uses to remember user preferences and other information, including, for example, how many search results they wish to have shown per page and whether they have Google’s SafeSearch filter turned on. NID is also used to help customize ads on Google properties, like Google search. NID is unique and persistent on a user’s device for two years or more.
SSID APISID SAPISID
These cookies are unique and persistent on a user’s device for two years or more. Google does not publicly state their purpose.
_Secure-3PSID _Secure-APISID Secure-3PAPISID
These cookies are “secure” cookies that Google sets and accesses when a user signs into a Gmail account and does not formally log-off even after the user has left the Gmail website.
IDE Google uses the IDE cookie for advertising. It is unique and persistent on a user’s device for two years or more.
DSID Google also uses the DSID cookie for advertising. It is unique and persistent on a user’s device for two years or more.
62. Google also engages in a controversial practice known as “cookie synching” which
further allows Google to associate cookies with specific individuals. With cookie synching, first-
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 19 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 15 - Case No. CLASS ACTION COMPLAINT
party cookies are set by websites with which users are directly interacting, but then those first-party
websites also pass that cookie values along to Google Analytics, where Google takes the personal
information it has about the user’s particular browser and links the Google Analytics first-party
cookie information to Google’s own third-party cookies and the user’s browsing.
63. Based on an Internet security policy known as the same-origin policy, web-browsers
are supposed to prevent different entities from accessing each other’s cookies. For example, at the
San Jose Mercury News website, Google would be prevented from accessing the new site’s “first-
party” cookie values. And vice-versa, the San Jose Mercury News would be prevented from
accessing Google.com’s third-party cookie values.
64. However, Javascript source code running on a webpage can bypass the same origin
policy protections by sending a putative ‘first-party’ cookie value in a tracking pixel to a third-party
entity. This technique is known in the Internet advertising business as “cookie synching.”
65. Cookie synching allows cooperating websites to learn each other’s cookie
identification numbers for the same user. Once the cookie synching operation is complete, the two
websites exchange information that they have collected and hold about a user, further making these
cookies “Personal Information.”
66. The Google cookie-synching cookie is called “cid,” which is short for the “Client
ID” that Google assigns to a specific user. As Google admits in its Google Analytics documentation
for web-developers, the cid cookie is personal information:
In order for Google Analytics to determine that two distinct hits belong to the same user, a unique identifier, associated with that particular user, must be sent with each hit. The analytics.js library accomplishes this via the Client ID field, a unique, randomly generated string that gets stored in the browser’s cookies, so subsequent visits to the same site can be associated with the same user.7
67. Chrome shares the Client ID value with Google regardless of a user’s Sync status or
log-in status with Google Ads, Google Doubleclick, and Google Analytics. Even worse, Chrome
shares Google’s cid cookie value with Google even when third-party cookies are blocked.
7 https://developers.google.com/analytics/devguides/collection/analyticsjs/cookies-user-id.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 20 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 16 - Case No. CLASS ACTION COMPLAINT
Disguising third-party tracking cookies as first-party cookies is a deceptive privacy practice already
successfully challenged by the FTC when Google attempted it in 2011. United States v. Google, Inc.,
12-cv-4177-SI (N.D. Cal.), complaint dated Aug. 8, 2012, at ¶ 46-47.
68. In addition to sending Google the “CID” cookie value, Chrome also sends cookie-
synched values for Google cookies named _gads ID, _gcl_au/auiddc, and _gid to Google.
4. X-Client Data Headers Are Personal Information
69. The x-client-data header is an identifier that when combined with IP address and
user-agent, uniquely identifies every individual download version of the Chrome browser.
70. The x-client-data identifier is sent from Chrome to Google every time users
exchange an Internet communication, including when users log-in to their specific Google
accounts, use Google services such as Google search or Google maps, and when Chrome users are
neither signed-in to their Google accounts nor using any Google service.
71. Chrome has created and sent the x-client-data identifier to Google with every
communication users exchange since at least March 6, 2018.
72. The x-client-identifier is not disclosed in any term of service or privacy policy
operative at any time.
73. It is also not hyperlinked to any of these policies and the average, reasonable
Chrome user had no reason to know of its existence.
74. Google first publicly admitted to the existence of the x-client-data identifier to the
tech community in a document called the Chrome Privacy White Paper, published on March 6,
2018. The White Paper assisted developers on the “read” side—or surveillance side—with
developing products that could extract this information and further pair it with existing data.
75. The White Paper is authored by Google and makes several admissions relevant to
this action, as well as furthering the impression that Chrome was not sending personal information
to Google in violation of its express promises.
76. The White Paper begins by stating, “This document describes the features in
Chrome that communicate with Google, as well as with third-party services (for example, if you've
changed your default search engine).”
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 21 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 17 - Case No. CLASS ACTION COMPLAINT
77. Despite claiming the it would “describe[] the features in Chrome that communicate
with Google[,]” the White Paper does not disclose that Chrome sends users’ personal information
to Google regardless of whether users are logged-in to their Google Sync account or not.
78. Initially, the White Paper falsely represented that the x-client data identifier, which
it called a “Chrome-Variations header” did “not contain any personally identifiable information
and will only describe the state of the installation of Chrome itself, including active variations, as
well as server-side experiments that may affect the installation.”8
79. However, on September 24, 2018, researcher and technologist Vincent Toubiana
with ARCEP (a French Telecom regulator), who runs the blog www.unsearcher.org, took notice of
X-client-data. What he learned alarmed him:
“The x-client-data header
This is probably the most problematic header and I did not see it mention anywhere else than in the whitepaper. Most users are not aware of it but this header is sent with every request sent to Google services (and only Google services) to do A/B testing. Google services include most Google domains, including Doubleclick. Even when Google is a third party, the header is sent. Because it’s a header and not a cookie, it is sent even when you block cookies.
. . . .
So not only does this header may [sic] have some privacy implications, it makes the browser not neutral as it gives more data to Google services.
…
Conclusion
. . . by using custom headers, Google is less and less dependent on third party cookies. I would not be surprised if Chrome started to block third party cookies. Actually this may be in Google financial interest to do that.9
8 https://web.archive.org/web/20180505082442/https://www.google.com/chrome/privacy/whitepaper.html
9 https://unsearcher.org/more-on-chrome-updates-and-headers
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 22 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 18 - Case No. CLASS ACTION COMPLAINT
80. On January 14, 2020, Google announced that Chrome would be phasing out the use
of third-party cookies over two years. Google cynically claimed that its decision was driven by the
fact that “[u]sers are demanding greater privacy—including transparency, choice, and control over
how their data is used.”10 Left unsaid was the fact that Chrome’s x-client header can now uniquely
identify a majority of web-browsers in the United States, and Google does not need tracking
cookies anymore. Now that Google controls both the online ad market and the browser market
simultaneously, blocking third-party cookies simply blocks competing trackers, while Google has
a method to continue back-door tracking through the unique browser identifier created and
disclosed by its browser without any notification to users.
81. In addition to uniquely identifying Plaintiffs’ browsers, Google also uses the x-
client-identifier to track them across other Google services. For example, on February 4, 2020,
Arnaud Granal, the developer of the Kiwi Browser (a Chromium-based alternative browser for
Android) discovered and disclosed that x-client-data is “a unique ID to track a specific Chrome
instance across all Google properties,” including, in his example, YouTube and Doubleclick.11
82. Similarly, Kyle Bradshaw at www.9to5google.com explained the x-client-data
identifier “is sent to those Google servers regardless of whether you’re logged in with your Google
Account or not, which could theoretically tie your logged-out browsing back to your Google
Account.”12
83. Bradshaw further explained, “Putting it all together, the accusation being leveled
against Google by the tech community is that the company is making it harder for competing ad
networks and other third-parties to track your browsing while their own purported tracking method
is able to continue uninhibited.” Regardless of the impact on competitors, the impact on Plaintiffs
and the Class is significant—they cannot escape this new and even more secretive form of
surveillance.
10 https://blog.chromium.org/2020/01/building-more-private-web-path-towards.html
11 https://github.com/w3ctag/design-reviews/issues/467#issuecomment-581944600
12 https://9to5google.com/2020/02/06/google-chrome-x-client-data-tracking/
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 23 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 19 - Case No. CLASS ACTION COMPLAINT
84. Following the revelations above, Google quietly amended its White Paper to remove
its false representations about the x-client header. For example, on March 12, 2020, in an article
called “Google Backpedals on Claim that X-Client-Data Doesn’t Contain PI Information,” it was
reported by VPN Overview:
Originally the information about the X-Client-Data header in the whitepaper was as follows: “A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.” In the latest version of the whitepaper, the text stating that the X-Client-Data header doesn’t contain any PI information has been removed.13
85. VPN Overview further explained:
The fact that Google may be tracking users through the X-Client-Data header, is in itself of concern. However, it is not the most important issue here. Google probably has other means for tracking users. Of greater concern is the fact that Google did not disclose what it was using the header for. Google is tracking users without their knowledge, which is a violation of users’ privacy. Furthermore, the original description of the header’s use was incredibly inaccurate and likely to have been in breach of legal compliance requirements.
86. As of the date of filing, Google still has not fixed the Chrome Privacy Notice, the
Google general Terms of Use, or the Google Privacy Policy to accurately disclose the X-Client-
Data identifier and its uses.
5. Browsing History is Personal Information
87. Browsing history consists of a record of a communication or communications that
a user exchanges on the Internet and includes both the content of the communication or
communications and data associated with it, such as the time of the communication or
communications.
88. California law defines “personal information” to include browsing history,
specifically, “Internet or other electronic network activity information, including, but not limited
13 https://vpnoverview.com/news/google-backpedals-on-claim-that-x-client-data-doesnt-contain-pi-information/
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 24 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 20 - Case No. CLASS ACTION COMPLAINT
to, browsing history, search history, and information regarding a consumer’s interaction with an
internet website, application, or advertisement.” Cal. Civ. Code § 1798.140(o)(1)(F).
89. Google also defines “personal information” to include browsing history in the
Chrome Privacy Notice.
D. Chrome’s Promise Not To Share PI With Google if Not Synched Was Intended To Encourage, Not Diminish, User Engagement
90. Google’s motivation to breach its privacy promises to Un-Synched Chrome Users
was to increase user engagement and increase revenue for Google. Higher user engagement means
more revenue in that moment for Google, and also more data about the users that can lead to more
revenue. By promising more privacy, Google induces more private sharing, which is a more
profitable kind of user engagement.
91. “User engagement” is the degree to which users find products, services and
processes interesting or useful. It is typically measured by time spent interacting with products and
user satisfaction with that time spent. Engagement can be measured by a variety or combination of
activities such as downloads, clicks, interactions, shares, and more.
92. Examples of “engagement” data include:
a. For social or traditional media sites: daily usage, views, time on page, pages
per visit, ad clicks, searches, comments, or shares;
b. For streaming music apps: daily usage, time spent in app, songs listened to,
playlists created, friends added;
c. For an e-commerce store: monthly usage, adding items to cart;
d. For a personal finance app: weekly usage, sync bank accounts, create a
budget, enable notifications, view dashboard; and
e. Enterprise software: Monthly usage, create reports, share reports, invite
users.
93. Examples of specific metrics used by online entities to track this engagement include
daily active users (DAU), cost-per-acquisition, and ROI. The relative value of these metrics varies
by business. For example, high engagement via views or clicks might be good for a news site but
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 25 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 21 - Case No. CLASS ACTION COMPLAINT
not for an insurance app, where more usage might suggest that a user is about to file a claim. Higher
engagement leads to higher profits when additional activity leads to purchases, signups,
subscriptions, ad views, or clicks.
94. Product and marketing teams typically measure user engagement to understand the
factors that contribute to higher engagement and use product analytics measure what features affect
user behavior. Product analytics and active user engagement data important selling points to
advertisers and those who will pay to influences user behavior, whether that is to purchase
something, vote or take some other action.
95. By inducing more personal and more active engagement, Google can therefore
increase its profitability. Because this is a revenue-generating exercise, analytics teams at Google
are incentivized to engage in detailed analysis of both how to stimulate more engagement, and also
the value of each kind of engagement and the data that it generates. Put differently, specific user
engagement are assigned economic value.
96. By analyzing user flow—where users spend time, how they interact with others,
when they disengage with a site or app or maybe interested in paying more to upgrade—Google
can learn valuable insights into how to influence users’ choices and how to target them for Google’s
partners. User flow is analyzed by using precisely the metrics at issue in this action.
97. Indeed, Google was a pioneer in this field, and Google products help developers
create Engagement Scores for users.14 In June 2011 Google acquired PostRank, specifically
because PostRank had an effective tool for measuring user engagement. According to a Google
spokesperson at that time, Google is “always looking for new ways to measure and analyze data,”
and PostRank would help “make this data more actionable and accountable [through] an innovative
approach to measuring web engagement [that can ] help us improve our products for our users and
advertisers.15
14 https://www.chromium.org/developers/design-documents/site-engagement
15 https://techcrunch.com/2011/06/03/google-acquires-postrank-an-analytics-service-for-the-social-web/
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 26 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 22 - Case No. CLASS ACTION COMPLAINT
98. As applied here, the data that Chrome has sent to Google in violation of its promises
not to do so is integral to the calculation of users’ engagement scores. It can also be tied to specific
profitability.
99. The most powerful of all of these may be the x-client-referrer header, described
above. Because it is all-pervasive and impossible to remove from users’ activity, the richness of
the data Google collects has higher value than disconnected data points of less robust detail.
100. By targeting advertising at users who have a higher amount of “tracked”
engagement, Google can increase the profits they make from gathering that data.
101. An “untracked” user may only be shown generic ads. Such ads, in turn, tend to yield
a lower engagement rate and therefore generate less profit for Google. A “tracked” user’s browsing,
in contrast, yields greater data for Google to target and is also a more lucrative target in its own
right. The more active a user is, the more vulnerable to targeting she is, and more valuable as well.
102. In addition, promising a user that she is free from tracking induces a different set of
expectations and also a different kind of engagement. Specifically, one would expect a user to
engage more actively and more intimately under the belief that she is untracked. She may also
engage with different types of content than she would if she knew she were being surveilled,
exposing them as relevant for further categories of valuable advertising.
103. Tracking users’ engagement across Google’s advertising products also allows
greater optimization of those advertising products, with respect to those individual users, to increase
the likelihood of their future engagement with ads, further increasing Google’s ability to generate
profit.
104. By sending to Google Un-Synced Chrome users’ data reflecting their behavior,
Google is able to draw a more complete picture of those users, even when they had not opted-in to
such tracking.
105. All of this results in concrete, ascertainable financial gain for Google, directly
attributable by the increased user engagement. Those profits can be identified and quantified;
indeed, teams of analysts at Google are engaged in precisely this process.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 27 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 23 - Case No. CLASS ACTION COMPLAINT
E. How Google Instructs Chrome to Report PI to Google
106. Chrome is a web-browser—a software application that enables users to exchange
electronic communications over the Internet.
107. Every website is hosted by a computer server through which the entity or person in
charge of the website exchanges communications with Internet users via users’ web-browsers.
108. The process through which Chrome transmits communications between users and
the first-party websites with which users are communications is called packet-switching.16
109. The prior technology through which phone communications were transmitted was
called circuit-switching. With circuit-switching, the service provider would establish a single
pathway (or circuit) through which the content of a communication would flow between the parties
to the communication. The problem with circuit-switching is that, if the single path becomes
blocked, the communication fails.
110. Enter packet-switching. With packet-switching, there is no single, dedicated path
through which the contents of a communication flow. Instead, the contents of a communication are
broken down into dozens, hundreds, or thousands of packets—each of which is routed over a
network with different paths to the destination. Each packet contains part of the content and
information about its destination. Each packet travels independently to the destination and every
packet may travel by a different route to the destination. As the packets arrive, they are arranged
by the device to which they are sent. Only at the end are they put both together and the
communication formed. The path of each packet, and the order in which each packet arrives, is not
relevant to the ultimate success of a communication. Some packets may get stopped in the
process—in which case they are resent down a different path.
111. Packet-switching is now ubiquitous. For example, all 4G and 5G voice or data
communications are made via packet-switching technology.
112. Thus, although common imagination may suppose that a modern cellphone call or
internet communication involves a direct line of communication between the participants to the
16 Packet-switching is also explained in U.S. v. Szymuszkiewicz, 622 F.3d 701, 704 (7th Cir. 2010).
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 28 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 24 - Case No. CLASS ACTION COMPLAINT
communication, that is not true at all. Through packet-switching, the contents of the communication
are broken down into dozens, hundreds, or thousands of different packets that are exchanged
through separate pathways between the parties to the communication.
113. On the Internet, when a user begins a communication with a website, the user’s
browser starts and continues several processes all at once. These simultaneous processes include:
a. sending contents of the users’ side of the communication to the website;
b. receiving and rendering the website’s side of the communication;
c. placing the content of the communication in temporary and intermediate
storage, and;
d. in some cases, re-directing the contents of the communication to third-parties;
114. The basic commands that Chrome uses to send the users’ side of a communication
are called GET and POST requests.
115. When a user types https://www.mercurynews.com/2020/05/24/qa-mental-health-
tips-for-handling-the-pandemic/ into her browser (or takes the technological shortcut of clicking a
hyperlink), Chrome contacts the website hosting the Mercury News and sends the following
communication: “GET 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic/”.
116. If instead the user were filling out a form on that website and clicks a button to
submit the information in the form, Chrome similarly makes connection with the website server
but instead sends a “POST” request that includes the specific content that the user placed in the
form.
117. When a user clicks a hyperlink or hits ENTER to send a communication, Chrome
determines whether it is a GET or POST request based on the source code within the browser or
the current website with which the user is communicating. The browser then simultaneously:
a. Places the contents of the GET or POST request in storage in the browser’s
web-browsing history and short-term memory; and
b. Connects to and begins a back-and-forth the two-way communication
exchange between the user and the website.
118. Chrome stores the contents of the communication for at least two purposes:
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 29 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 25 - Case No. CLASS ACTION COMPLAINT
a. content is placed in the browser’s short-term memory so that, if the user’s
web-browser crashes unexpectedly, when the user re-starts their browser, the
browser will be able to offer the user the ability to return to their last
communications prior to the browser’s crash; and
b. The content is placed in the user’s browsing history and the user’s future
reference for 90 days.
119. For short-term memory, if Chrome crashes unexpectedly and the user re-opens it,
Chrome provides the user with the following options at the upper right-hand side of the screen:
120. This short-term storage is for purposes of back-up protection.
121. The storage for 90 days in the user’s browsing history is temporary, intermediate
storage incidental to the contemporaneous transmission of the communication.
122. In response to receiving a GET or POST request from a user, the server for the
website with which the user is exchanging a communication will send a set of instructions to
Chrome, commanding Chrome with source code on:
a. How to render the website’s portion of the communication; and
b. In some cases (up to 86 percent of popular websites), using source code
provided by Google and specifically designed to command the Chrome to
contemporaneously re-direct the precise content of the GET or POST part of
the communication to Google and its various entities attached to personal
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 30 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 26 - Case No. CLASS ACTION COMPLAINT
information and other browser-generated data about the content of the
website’s portion of the communication.
123. Google instructs developers to place its source code that commands Chrome to
contemporaneously re-direct the contents of the communication exchanged between the user and
the website to Google in the website’s header—i.e., before the website’s instructions regarding the
contents of its side of the communication. For example, for Google Tag Manager, Google instructs
developers to place its code “as close to the opening tag as possible on every page of your
website[.]”17
124. Google’s placement is designed to put priority on the re-directions of content and
user personal information from Chrome to Google. By placing the re-direction commands first,
Google ensures that the re-direction will occur as soon as possible so that Google will be able to
collect the contents and personal information even if the user quickly changes their mind or the
browser unexpectedly shuts down before the communication transmissions are complete.
125. The transmission process between Chrome and the website server is not discrete,
but instead involves a series of rapid, continuing, simultaneous data exchanges between Chrome
and the website server with data flowing both ways throughout the process and through dozens,
hundreds, or even thousands of different paths to reach their destination at the user or website.18
126. The data and content exchanges between Chrome and the website server continue
even after it appears that the website’s portion of the communication has been fully rendered on
the user’s screen.
127. At the same time that the transmission and content exchange of the communication
is happening between the user’s browser and the website server (i.e. the devices), the contents of
the communication (including the user’s specific request and information about the substance of
website’s side of the communication) are re-directed to third-parties.
17 See https://developers.google.com/tag-manager/quickstart
18 In one example of which counsel is aware, a recording of a single 288 second communication resulted in 22,779 separate packet transmissions—or 79 data packet transmissions per second.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 31 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 32 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 33 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 34 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 30 - Case No. CLASS ACTION COMPLAINT
144. The following charts compare the PI that Chrome sends to Google when the browser
is one of three states: first, when the user has affirmatively synched with another Google Account
(called “synched” below); second, when the user is not synched, but logged into another Google
service such as Gmail (“un-synched, with Gmail log-in”); and third, when the user is neither
synched nor logged into any other Google account (“un-synched, logged out”). As the test results
below confirm, Google causes Chrome to send PI to itself even when a Chrome user has not
authorized the data collection by synching.
145. Chrome copies and re-directs the content of the user’s GET request (the one asking
for the article on mental health) to Google Ads, Google DoubleClick, and Google Analytics in
identical fashion regardless of whether the user is synched.
PERSONAL INFORMATION CHROME SENDS TO ALL GOOGLE CONTENT OF COMMUNICATION WITH THE MERCURY NEWS
Identical for All Browser-States and All Google Entity Recipients Synched 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic
Un-Synched, Gmail Login 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic
Un-Synched, no Gmail Login 2020/05/24/qa-mental-health-tips-for-handling-the-pandemic.html
146. Similarly, the x-client-data header Chrome sends to Google Ads, Google
DoubleClick, and Google Analytics is identical regardless of whether the user is synched:
PERSONAL INFORMATION CHROME SENDS TO GOOGLE
X-CLIENT-DATA-HEADER Identical for All Browser-States and All Google Entity Recipients Except Analytics
Synched CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=
Un-Synched, Gmail Login CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=
Un-Synched, no Gmail Login CKy1yQEIkbbJAQimtskBCMS2yQEIqZ3KAQjnyMoBCLTLygE=
147. Similarly, the IP address and User-Agent data Chrome sends to Google Ads, Google
DoubleClick, and Google Analytics is identical regardless of whether the user is synched.
148. Similarly, the Google Analytics “cid” cookie or “Client ID” that Chrome sends to
Google is identical regardless of whether the user is synched:
PERSONAL INFORMATION CHROME SENDS TO ALL GOOGLE
“CID” – “CLIENT ID” COOKIE VALUE Identical for All Browser-States and All Google Entity Recipients
Synched cid=2007029474.1595353114
Un-Synched, Gmail Login cid=2007029474.1595353114
Un-Synched, no Gmail Login cid=2007029474.1595353114
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 35 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 31 - Case No. CLASS ACTION COMPLAINT
149. The third-party cookie data Chrome sends to Google Ads is identical for at least 11
different persistent, unique cookies for Un-Synched Chrome users regardless of whether signed
into Gmail, but not transmitted to Google if the Un-Synched Chrome user is not also logged into
Gmail:
PERSONAL INFORMATION CHROME SENDS TO GOOGLE ADS UNIQUE, PERSISTENT THIRD-PARTY COOKIE VALUES
Identical for Synched and Un-Synched w/ Gmail Login Synched SID=zQfoZ_zUnJr9Gm_IL2u7ticWDqZNymdEgeQPEJdMF0tShKy
XCg_BgOS7PQHBWgLiW71F4Q.
__Secure-3PSID=zQfoZ_zUnJr9Gm_IL2u7ticWDqZNymdEge QPEJdMF0tShKyXryW3ljJQRAkrQ 0hbzqbBHg. HSID=AFuEZ4mCJy32UrJK7 SSID=Aw06H6mNsRcQYQjqA APISID=U1WjkuS385Vfizcg/AXMK-fI2Ee2PZnjSB SAPISID=tVrmANaeR-_R3mDV/ABTnEns79q7apJgjE __Secure-HSID=AFuEZ4mCJy32UrJK7 __Secure-SSID=Aw06H6mNsRcQYQjqA __Secure-APISID=U1WjkuS385Vfizcg/AXMK-fI2Ee2PZnjSB __Secure-3PAPISID=tVrmANaeR-_R3mDV/ABTnEns79q7ap JgjENID=204=Yc40KkubQ69v_6cmRVkl6eEK6FPzgNcuct N7ndjgcsBeMwUO4uxFOCBmFTLG0HNLk7p13a0Le2tnE gjOllwZi62Jh4f4fjKFXMR8pL0Z4GqbjlUtejOv3Nvhtf1D n63dABgRTnJlRXPklAsY5hCMQfLCHCAKIrg01U p3q7q2fFN3Aj8lXaT9g12rT5QtcNgJAZP8dKmLevACA
Un-Synched, Gmail Login SID=zQfoZ_zUnJr9Gm_IL2u7ticWDqZNymdEgeQPEJdMF0tShKy XCg_BgOS7PQHBWgLiW71F4Q.
__Secure-3PSID=zQfoZ_zUnJr9Gm_IL2u7ticWDqZNymdEge QPEJdMF0tShKyXryW3ljJQRAkrQ 0hbzqbBHg. HSID=AFuEZ4mCJy32UrJK7 SSID=Aw06H6mNsRcQYQjqA APISID=U1WjkuS385Vfizcg/AXMK-fI2Ee2PZnjSB SAPISID=tVrmANaeR-_R3mDV/ABTnEns79q7apJgjE __Secure-HSID=AFuEZ4mCJy32UrJK7 __Secure-SSID=Aw06H6mNsRcQYQjqA __Secure-APISID=U1WjkuS385Vfizcg/AXMK-fI2Ee2PZnjSB __Secure-3PAPISID=tVrmANaeR-_R3mDV/ABTnEns79q7ap JgjENID=204=Yc40KkubQ69v_6cmRVkl6eEK6FPzgNcuct N7ndjgcsBeMwUO4uxFOCBmFTLG0HNLk7p13a0Le2tnE gjOllwZi62Jh4f4fjKFXMR8pL0Z4GqbjlUtejOv3Nvhtf1D n63dABgRTnJlRXPklAsY5hCMQfLCHCAKIrg01U p3q7q2fFN3Aj8lXaT9g12rT5QtcNgJAZP8dKmLevACA
Un-Synched, no Gmail Login none
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 36 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 32 - Case No. CLASS ACTION COMPLAINT
150. Despite Google’s demonstrated ability above to block the transmission of some
cookies, it still causes others to be transmitted, as noted below, regardless of whether the user is
synched:
151. Finally, Chrome sends other third-party cookie personal identifiers that qualify as
personal information, regardless of whether the user is synched. These other cookies have values
that change based on log-in status, but which are associated with the cookie values that are identical
across all browser-states, making them reasonably capable of being associated with specific users:
152. Combined, the data that Google causes Chrome to send to itself (illustrated above)
demonstrates that Google has designed Chrome to collect massive amounts of user personal
information and linked to websites visited, regardless whether the Chrome user synched.
153. Even worse, most of the PI is collected in forms other than cookies (for example, IP
address + user-agent data and the x-client-data identifier) meaning that Chrome will still transmit
the data even if the user is using cookie blockers.
PERSONAL INFORMATION CHROME SENDS TO GOOGLE DOUBLECLICK THIRD-PARTY COOKIES – IDE identical for all browser states
Synched IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-
N1x6ZCPzZOfbTN0bUarkMjwuYJMV
Un-Synched, Gmail Login IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-
N1x6ZCPzZOfbTN0bUarkMjwuYJMV
Un-Synched, no Gmail Login IDE=AHWqTUluD72jj7k5Rr5ipWiIeEiyaUdEyFm-
N1x6ZCPzZOfbTN0bUarkMjwuYJMV
PERSONAL INFORMATION CHROME SENDS TO GOOGLE DOUBLECLICK COOKIE SYNCHING
Identical for All Browser-States Synched ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-
omh5WOAbbL6y_qlGA
Un-Synched, Gmail Login ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-
omh5WOAbbL6y_qlGA
Un-Synched, no Gmail
Login
ID=8067c38bf1d71e0f:T=1595353118:S=ALNI_MacZyW8MLDn-
omh5WOAbbL6y_qlGA
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 37 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 38 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 39 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 40 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 41 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 42 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 43 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 44 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 45 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 46 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 47 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 48 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 49 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 50 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 51 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 52 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 53 of 93
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 54 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 50 - Case No. CLASS ACTION COMPLAINT
about her and will use that data to place Kindler in advertising categories from which Google will
profit from targeted advertising to her based on data that it did not have the right to obtain.
H. Google’s Improper Collection of PI from Plaintiffs and Other Un-Synched Chrome Users is a Serious Invasion of the Privacy and is Highly Offensive
194. Chrome is now the most widely used browser in the world and is used by 59 percent
of all desktop computers in the United States.19
195. Article I, § 1 of the California Constitution provides: “All people are by nature free
and independent and have inalienable rights. Among these are enjoying and defending life and
liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety,
happiness, and privacy.” The phrase “and privacy” was added by the “Privacy Initiative” adopted
by California voters in 1972.
196. The right to privacy in California’s constitution creates a right of action against
private as well as government entities.
197. The principal purpose of this constitutional right was to protect against unnecessary
information gathering, use and dissemination by public and private entities, including computer-
stored and generated dossiers and cradle-to-grave profiles on every American.
198. In its public statements, Google pays lip-service to the need to protect the privacy
of Internet communications. For example, On June 6, 2016, a coalition of technology companies
and privacy advocates came together to oppose Congressional efforts to expand government
surveillance of online activities through the Senate’s Intelligence Authorization Act for Fiscal Year
2017 and Senator Cornyn’s proposed amendments to the ECPA.
199. The joint letter, signed by the ACLU, Amnesty International and others was also
signed by Google. These organizations and companies argued (correctly) that obtaining sensitive
information about Americans’ online activities without court oversight was an unacceptable
privacy harm because it “would paint an incredibly intimate picture of an individual’s life” if it
19 Browser Market Share United States of America: May 2019 – May 2020, GlobalStats, https://gs.statcounter.com/browser-market-share/all/united-states-of-america (last visited June 19, 2020).
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 55 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 51 - Case No. CLASS ACTION COMPLAINT
included “browsing history, email metadata, location information, and the exact date and time a
person signs in or out of a particular online account.”
200. The letter further posited that the proposed online surveillance could “reveal details
about a person’s political affiliations, medical conditions, religion, substance abuse history, sexual
orientation” and even physical movements. The letter concluded that online surveillance raises
“civil liberties and human rights concerns.”
201. Google has also publicly declared that non-consensual electronic surveillance is
“dishonest” behavior. For example, earlier this month, Google announced an update to its
“Enabling Dishonest Behavior Policy” (effective August 11, 2020) restricting advertising for
spyware and surveillance technology. The new policy, without any hint of irony, will now “prohibit
the promotion of products or services that are marketed or targeted with the express purpose of
tracking or monitoring another person or their activities without their authorization.”
202. Through this new amendment to Google’s pre-existing policy, Google now
explicitly takes the position that nonconsensual surveillance of “browsing history” is “dishonest
behavior.”
203. Google has also publicly declared privacy to be a human right. In 2004 in a letter
from Google’s founders to shareholders at the IPO (included with the Company’s S-1 Registration
Statement filed with the SEC), Google declared its goal to “improve the lives of as many people as
possible.” This letter appears today on Google’s website on a page touting the company’s
commitment to be guided by “internationally recognized human rights standards,” including
specifically the human rights enumerated in three documents: The Universal Declaration of Human
Rights; the United Nations Guiding Principles on Business and Human Rights; and the Global
Network Initiative (“GNI”) Principles.
204. All three of these documents confirm that privacy is a human right and a violation
of privacy rights is a violation of human rights.
205. For example, the Universal Declaration declares that no one should be subject to
arbitrary interference with privacy, and even declares the right to the protection of laws against
such interference.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 56 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 52 - Case No. CLASS ACTION COMPLAINT
206. Similarly, the UN Guiding Principles for business identify privacy as a human right.
207. The third document, the GNI Principles, has an entire section dedicated to privacy
that begins: “Privacy is a human right and guarantor of human dignity. Privacy is important to
maintaining personal security, protecting identity and promoting freedom of expression in the
digital age.”
208. Finally, although not mentioned on Google’s website, in 1992 the United States
ratified the International Covenant on Civil and Political Rights, a human rights treaty that
guarantees privacy rights in Article 17.
I. Plaintiffs’ PI Is Property Owned by the Plaintiffs and Has Economic Value
209. The value of personal data is well understood and generally accepted as a form of
currency.
210. It is by now incontrovertible that a robust market for this data undergirds the tech
economy.
211. The robust market for user data has been analogized to the “oil” of the tech
industry.20 A 2015 article from TechCrunch accurately noted that “Data has become a strategic
asset that allows companies to acquire or maintain a competitive edge.”21 That article noted that
the value of a single Internet user—or really, a single user’s data—varied from about $15 to more
than $40.
212. The Organization for Economic Cooperation and Development (“OECD”) itself has
published numerous volumes discussing how to value data such as that which is the subject matter
of this Complaint, including as early as 2013, with its publication “Exploring the Economic of
20 The world’s most valuable resource is no longer oil, but data, The Economist (May 6, 2017), https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.
21 Pauline Glickman and Nicolas Glady, What’s the Value of Your Data? TechCrunch (Oct. 13, 2015), https://techcrunch.com/2015/10/13/whats-the-value-of-your-data/.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 57 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 53 - Case No. CLASS ACTION COMPLAINT
Personal Data: A Survey of Methodologies for Measuring Monetary Value”.22 The OECD
recognizes that data is a key competitive input not only in the digital economy but in all markets:
“Big data now represents a core economic asset that can create significant competitive advantage
for firms and drive innovation and growth.”23
213. In The Age of Surveillance Capitalism, Harvard Business School Professor
Shoshanna Zuboff notes Google’s early success monetizing user data prompted large corporations
like Verizon, AT&T and Comcast to transform their business models from fee for services provided
to customers to monetizing their user’s data—including user data that is not necessary for product
or service use, which she refers to as “behavioral surplus.”24 In essence, Professor Zuboff explains
that revenue from user data pervades every economic transaction in the modern economy. It is a
fundamental assumption of these revenues that there is a market for this data; data generated by
users on Google’s platform has economic value.
214. This is old news. In 2012, Google’s Chief Economist Hal Varian, in conversation
with the Economist, referred to one aspect of data’s value as “nowcasting,” or “contemporaneous
forecasting”—basically an ability to predict what is happening as it actually occurs.”25 This kind
of information clearly has economic value.
215. Professor Paul M. Schwartz writing in the Harvard Law Review, notes:
Personal information is an important currency in the new millennium. The monetary value of personal data is large and still growing, and corporate America is moving quickly to profit from the trend. Companies view this information as a corporate asset and have invested heavily in software that facilitates the collection of consumer information.
22 Exploring the Economic of Personal Data: A Survey of Methodologies for Measuring Monetary Value, OECD Digital Economy Paper No. 220 at 7 (Apr. 2, 2013), http://dx.doi.org/10.1787/5k486qtxldmq-en.
23 Supporting Investment in Knowledge Capital, Growth and Innovation, OECD, at 319 (Oct. 13, 2013), https://www.oecd-ilibrary.org/industry-and-services/supporting-investment-in-knowledge-capital-growth-and-innovation_9789264193307-en.
24 Shoshanna Zuboff, The Age of Surveillance Capitalism 166 (2019).
25 K.N.C., Questioning the searches, The Economist (June 13, 2012), https://www.economist.com/schumpeter/2012/06/13/questioning-the-searchers.
Case 5:20-cv-05146 Document 1 Filed 07/27/20 Page 58 of 93
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 54 - Case No. CLASS ACTION COMPLAINT
216. This economic value has been leveraged largely by corporations who pioneered the
methods of its extraction, analysis, and use. However, the data also has economic value to users.
Market exchanges have sprung up where individual users like Plaintiffs herein can sell or monetize
their own data. For example, Nielsen Data and Mobile Computer will pay users for their data.26
Google itself has launched apps that pay users for their data directly.27 Likewise, apps such as Zynn,
a TikTok competitor, pay users for to sign up and interact with the app.28
217. There are countless examples of this kind of market, which is growing more robust
as information asymmetries are diminished through revelations to users as to how their data is being
collected and used.
218. Indeed, Google once paid users for the very data it now improperly harvests from
Chrome:
Google is building an opt-in user panel that will track and analyze people’s online behaviors via an extension to its Chrome browser, called Screenwise. Users that install the plug-in will have the websites they visit and the ways in which they interact with them recorded, and they will then be paid with Amazon gift cards worth up to $25 a year in return.29
219. As Professors Acquisti, Taylor and Wagman relayed in their 2016 article “The
Economics of Privacy,” published in the Journal of Economic Literature:
Such vast amounts of collected data have obvious and